Description
In the Linux kernel, the following vulnerability has been resolved:

bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

bond_option_mode_set() already rejects mode changes that would make a
loaded XDP program incompatible via bond_xdp_check(). However,
bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when
xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually
absent due to hardware offload. This means a user can:

1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode
with a compatible xmit_hash_policy (e.g. layer2+3).
2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false
for the same device. When the bond is later destroyed, dev_xdp_uninstall()
calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits
the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an
XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")
introduced bond_xdp_check() which returns false for 802.3ad/balance-xor
modes when xmit_hash_policy is vlan+srcmac. The check was wired into
bond_xdp_set() to reject XDP attachment with an incompatible policy, but
the symmetric path -- preventing xmit_hash_policy from being changed to an
incompatible value after XDP is already loaded -- was left unguarded in
bond_option_xmit_hash_policy_set().

Note:
commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode")
later added a similar guard to bond_option_mode_set(), but
bond_option_xmit_hash_policy_set() remained unprotected.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an oversight in the Linux kernel bonding subsystem. When a native XDP program is attached to a bond interface operating in 802.3ad or balance‑xor mode, the system permits the xmit_hash_policy to be changed to vlan+srcmac even though the existing XDP program would no longer be compatible. This mismatch leaves the bond still holding a reference to the XDP program, and when the bond is later destroyed the kernel attempts to uninstall the incompatible program. Because bond_xdp_check() rejects the configuration, dev_xdp_uninstall() triggers a WARN_ON and returns -EOPNOTSUPP, potentially leading to a kernel warning or instability. The vulnerability therefore can cause service disruption or a denial of service through kernel panics or crashes, but does not provide a direct remote code execution path.

Affected Systems

Affected systems include all Linux kernel implementations that support bonding, 802.3ad, and balance‑xor modes with XDP. The vulnerability applies to Linux kernels that have not yet incorporated the fix contained in commit 39a0876d595b. No specific version ranges are listed, so any kernel prior to the application of that change may be impacted.

Risk and Exploitability

The CVSS score of 5.5 classifies the issue as moderate severity, and the EPSS indicates that the likelihood of exploitation is very low (under 1%). The vulnerability is also not listed in the CISA KEV catalog. Exploitation requires local privileged access to configure bonding options and attach an XDP program, so the attack vector is local. Because the flaw is limited to kernel configuration and does not provide remote code execution, the overall risk to an organization is moderate and primarily dependent on whether the affected infrastructure relies on the vulnerable bonding configuration.

Generated by OpenCVE AI on March 26, 2026 at 14:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains commit 39a0876d595b, removing the vulnerability.
  • If a kernel upgrade is not yet possible, do not change the xmit_hash_policy to vlan+srcmac on a bond that has an XDP program loaded; instead keep a compatible hash policy such as layer2+3.
  • Verify the bond_xdp_check() result before making configuration changes.
  • Monitor system logs for WARN_ON messages related to XDP uninstallation.
  • Keep the kernel updated and review vendor advisories for future patches.

Generated by OpenCVE AI on March 26, 2026 at 14:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703
CWE-704

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1288
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703
CWE-704

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard. For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This means a user can: 1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3). 2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded. This leaves bond->xdp_prog set but bond_xdp_check() now returning false for the same device. When the bond is later destroyed, dev_xdp_uninstall() calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering: WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL)) Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode. commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP") introduced bond_xdp_check() which returns false for 802.3ad/balance-xor modes when xmit_hash_policy is vlan+srcmac. The check was wired into bond_xdp_set() to reject XDP attachment with an incompatible policy, but the symmetric path -- preventing xmit_hash_policy from being changed to an incompatible value after XDP is already loaded -- was left unguarded in bond_option_xmit_hash_policy_set(). Note: commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode") later added a similar guard to bond_option_mode_set(), but bond_option_xmit_hash_policy_set() remained unprotected.
Title bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:04:24.623Z

Reserved: 2026-01-13T15:37:45.994Z

Link: CVE-2026-23310

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:27.160

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23310

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23310 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:58Z

Weaknesses